The recent global incident caused by a technical error in CrowdStrike's Falcon security software brought to light a critical, yet often overlooked, aspect of cyber insurance: the necessity to expand risk considerations beyond traditional cyberattacks.
The incident, which originated from a faulty update, affected around 8.5 million devices and caused severe disruptions across multiple sectors, including airlines, supermarkets, and financial institutions.
Insured losses from this incident are expected to be the largest from a single cyber event since the NotPetya attack in 2017, with estimates from insurers suggesting a $5.4 billion impact on US Fortune 500 companies.
Interestingly, the estimated insured damages for American companies alone range from $540 million to $1.08 billion, accounting for only 10% to 20% of the total cost of the disaster. This underscores the evolving nature of digital risks and the urgent need for insurers and companies to adapt proactively.
Expanding risk considerations
Cyber insurers must recognize that technical errors, like the one seen in the CrowdStrike incident, can be as disruptive as malicious cyberattacks. Errors of this nature can lead to significant business interruptions, data loss, and financial damage. Despite these significant losses, CrowdStrike’s liability is reportedly limited to the fees paid by affected companies.
Insurers need to revise their policies to include coverage for technical glitches, ensuring comprehensive protection for their clients. Some policies already acknowledge this need, covering business interruptions caused by non-malicious events. However, there is still room for improvement and broader adoption.
Disaster recovery to IT resilience
Businesses must shift their focus from merely recovering from disasters to building IT resilience. This approach ensures that technical errors are managed as tolerable incidents rather than full-scale disasters. IT resilience involves proactive measures such as regular system updates, rigorous testing of backup systems, and robust disaster recovery plans.
To enhance IT resilience, businesses should diversify their data storage solutions, using both cloud-based and on-premises systems to prevent data loss from a single point of failure.
Implementing redundant systems ensures continued operations during a technical error, while regular testing of backup and recovery systems helps identify and address potential vulnerabilities. Employee training on best practices for IT resilience and disaster recovery is crucial for minimizing the impact of technical errors.
Potential changes in insurance landscape
The insurance landscape is likely to evolve in response to such outages. Insurers may revise their policies to better cover technical errors and ensure that their clients have adequate protection against a broader range of risks. According to the Insurance Information Institute, cyber insurance premiums are projected to double over the next decade.
In 2022, premiums totalled $11.9 billion, and they are expected to reach $22.5 billion by 2025 and increase to $33.3 billion by 2027.
Business interruption, dependent business interruption, data restoration, incident response, and voluntary shutdown costs are expected to be the most directly affected areas of damage.
Necessity of coverage for technical errors
In today's tech-dependent world, insurance coverage for technical errors is not just a luxury but a necessity. Businesses rely heavily on IT systems for their daily operations, and even minor technical glitches can result in significant disruptions. Insurers must emphasize the importance of such coverage and work towards making it a standard inclusion in cyber insurance policies.
The CrowdStrike incident also highlighted the vulnerability of interconnected systems and the potential for cascading failures. For instance, the outage caused gate screens to turn blue and blank at Denver International Airport, leading to significant disruptions in flight operations. Globally, over 5,000 flights were cancelled, representing 4.6% of scheduled flights for that day.
As the digital landscape continues to evolve, so too must the strategies employed by insurers to protect their clients. The need for comprehensive cyber insurance that covers a wide range of risks, including technical errors, has never been more apparent.
Insurers must rise to the challenge and provide the protection that today's businesses require. Only then can we ensure that the digital economy remains resilient and robust in the face of an increasingly complex threat landscape.